PHP Login and Form Questions

He has: 2 posts

Joined: Oct 2012

Any suggestions on a tutorial for a login script for PHP that is secure enough to keep out malicious attacks, but on the same token, there won't be any critical personal information in the database other than email addresses and names (no bank info or social security or anything like that).

I've got a basic understanding of PHP, but not enough to come up with a secure login system on the fly.

I've got a bit started, a page which lets you create an account and adds the info to the database. Got that aspect working. If successful, it will take you to the login page... which doesn't work. Somethings wrong in the code, because no matter what username or password you enter, you get an error, even if the info is correct.

Also, if anyone has suggestions as far as preventing someone from using the create account form to maliciously enter info into the database, that'd be helpful as well. A lot of what I've been able to find via GOOGLE looks to be outdated and/or beyond my scope of understanding (lines upon lines of code for each input... I imagine there must be a simpler solution...)

Brian Scott

greg's picture

He has: 1,581 posts

Joined: Nov 2005

The basic starting point is to ensure people are entering data that you want them to, so only data that suits the form field they're using.

EG if you have a DATE entry, there should only be numeric chars entered, no alpha or other chars like !"£$ etc. AGE would be numeric only, username you may want to limit to alphanumeric, etc..

If you start by limiting their entry to what they should be doing, your on the way to maintaining security as you'll naturally remove their ability to enter various bad chars like apostrophes and quotes, and also ensure you get useful info too, like alpha only for names, and numeric for dates, age etc.

You also need to check the total characters they used in a string. So if they're entering 3 chars for DAY when it should be 2, or 100 chars for name when it should be max 40 etc, you can issue an error to them without even touching the DB with the info, it's all done in PHP until you're happy with their data.
This also ensures users are entering the correct data to suit your database structure. Such as USERNAME may be a varchar(40), so you limit them entering 40 chars, otherwise you end up with a headache in your DB and, for example, logins wont work.
(HTML's form "maxlength" is easy to get around so checking in PHP is essential)

You should always check all data as outlined above before even thinking about accessing your DB.
Once you've sanitised those checks and you're happy they've entered sensible info and data that suits the fields they using, then the script can move on to the DB part and store it.
It might still be rubbish or nonsense, but there's no easy way to stop that, important thing is it'll be safe and correctly formatted to store in your DB.

As you're ready to insert, you should also ALWAYS use mysql_real_escape_string on all data before entering into the DB. (although you should be using MySQLi or PDO_MySQL these days)

tbcproductions wrote:
there won't be any critical personal information in the database other than email addresses and names

There is - their passwords are saved in the DB. So make sure you're hashing passwords before saving (MD5/SHA etc) if your database is compromised and you're saving in plaintext, all your users' accounts can be accessed by whoever has the data.
SALT is a more secure addition, but not completely essential unless you have high security requirements.

tbcproductions wrote:

If successful, it will take you to the login page... which doesn't work. Somethings wrong in the code, because no matter what username or password you enter, you get an error, even if the info is correct.

Either the PHP code is invalid, or you're doing something wrong with the data.

Is the data correct in the database? Echo it out onto the page.
Are you entering the correct data that matches the DB data?
Is the final PHP script which attempts login getting the correct data as above two questions?

Try echoing all relevant variables and printing arrays you're working with, sometimes it's something simple/obvious you've missed along the way. Showing all the data that PHP is working with behind the scenes that you wouldn't normally see can highlight the issue.

If it's a PHP specific error, feel free to paste the code and we'll take a look Smiling

Cheers

Nullified's picture

They have: 12 posts

Joined: Sep 2012

ensure you setup the db fields to only store the type of data it is suppose to.
ensure you escape all session vars ($_REQUEST/$_POST/$_GET)
ensure you escape all sql queries
ensure you strip all malicious characters from form data
md5 (hash) anything you would like to keep private
ensure valid use of session/cookie data and keep your sessions clean

Want to join the discussion? Create an account or log in if you already have one. Joining is fast, free and painless! We’ll even whisk you back here when you’ve finished.